kubectl connect with remote cluster from scratch

5/12/2018

I've created a local Kubernetes cluster using Ansible. Everything is running, but now I'm trying to connect my kubectl to the cluster (in the VMs).

My cluster is running on https://IP:6443

First I got:

$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

So I tried this solution:

kubectl config set-credentials kubeuser/IP --username=kubeuser --password=kubepassword
kubectl config set-cluster IP --insecure-skip-tls-verify=true --server=https://IP:6443
kubectl config set-context default/IP/kubeuser --user=kubeuser/IP --namespace=default --cluster=IP
kubectl config use-context default/IP/kubeuser

and tried again:

$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:anonymous" cannot list pods in the namespace "default"

I understand I need to create a clusterrolebinding but I still need an initial "admin-ownership" for that? What step am I missing or doing wrong so I can access my cluster with kubectl and get my pods?

-- DenCowboy
kubectl
kubernetes
rbac

1 Answer

5/14/2018

Kubectl is a command-line tool for remote management of a Kubernetes cluster.

Kubectl uses a config file, which you must have to connect to the cluster. It is possible that your config file is inconsistent due to a lot of major or minor changes. If further analysis of the issues does not show good results, try rm -f ~/.kube/config and start from scratch.

As I see, you suspect that the problem is with the self-signed certificates. It may require updating the cluster root Certificate Authority (CA) on the clients, then refreshing the local list of valid certificates.

Go to your local CA directory, check if the ca.crt file exists, then copy it to the clients. On the clients, perform the following operations:

sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
sudo update-ca-certificates

I agree with the suggestion provided by Matthew L. Daniel:

The cluster: tag accepts either the filename of the CA certificate or an "inline" base64-ed version of the PEM; you can see it with:

kubectl config set-cluster $foo --certificate-authority=... --embed-certs=true

or you can cheat and use --insecure-skip-tls-verify=true to switch off the CA verification for testing things

If you do not have a certificate generated during the installation of Kubernetes, I suggest starting with the Kubernetes TLS documentation. You may have a look at Kubernetes cloud providers like GKE or AKS - they make it possible to create a Kubernetes config file remotely with all certificates included, and then download it to a local ~/.kube directory. Maybe this will solve some issues with the config if you adapt it to a local installation. It works like a charm and saves a lot of time. If you're still undecided, please provide here the output of kubectl config view for us to help you with your trouble. (Please remove sensitive data from it before posting here.)

-- d0bry
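
A quick way to review what the answer asks for (the contents of `kubectl config view`) is to check the active context for the settings discussed above: disabled TLS verification, a missing cluster CA, and a user entry with no certificate or token. This is an added example, not code from the question or the answer; it assumes the config is supplied as JSON (for instance from `kubectl config view -o json`), and `audit`, `_index` and `SAMPLE` are hypothetical names.

```python
import json

# Constructed sample: a kubeconfig (as JSON) modelling what the question's four
# `kubectl config set-*` commands produce; "IP" is the page's own placeholder.
SAMPLE = json.loads("""{
  "clusters": [{"name": "IP", "cluster": {
      "server": "https://IP:6443", "insecure-skip-tls-verify": true}}],
  "users": [{"name": "kubeuser/IP", "user": {
      "username": "kubeuser", "password": "REDACTED"}}],
  "contexts": [{"name": "default/IP/kubeuser", "context": {
      "cluster": "IP", "user": "kubeuser/IP", "namespace": "default"}}],
  "current-context": "default/IP/kubeuser"
}""")
CA_KEYS = ("certificate-authority", "certificate-authority-data")
CRED_KEYS = ("client-certificate", "client-certificate-data", "token",
             "tokenFile", "exec", "auth-provider")


def _index(cfg, section, key):
    # Map each entry's name to its settings dict for one kubeconfig section.
    return {e["name"]: e.get(key) or {} for e in cfg.get(section) or []}


def audit(cfg, context=None):
    """Return findings for one context (default: the current-context)."""
    name = context or cfg.get("current-context", "")
    ctx = _index(cfg, "contexts", "context").get(name)
    if ctx is None:
        return [f"context {name!r} is not defined"]
    findings = []
    cluster = _index(cfg, "clusters", "cluster").get(ctx.get("cluster"))
    user = _index(cfg, "users", "user").get(ctx.get("user"))
    if cluster is None:
        findings.append(f"cluster {ctx.get('cluster')!r} is not defined")
    elif cluster.get("insecure-skip-tls-verify"):
        findings.append("TLS verification disabled (insecure-skip-tls-verify)")
    elif not any(cluster.get(k) for k in CA_KEYS):
        findings.append("no cluster CA set; relies on the system trust store")
    if user is None:
        findings.append(f"user {ctx.get('user')!r} is not defined")
    else:
        if user.get("password"):
            findings.append("basic-auth password stored in kubeconfig")
        if not any(user.get(k) for k in CRED_KEYS):
            findings.append("no client certificate or token configured")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty list means the context pins a cluster CA and presents a certificate or token; whether the API server then authorizes that identity is still decided by RBAC on the cluster side.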
Source: StackOverflow